CN113297629A - Authentication method, device, system, electronic equipment and storage medium - Google Patents

Authentication method, device, system, electronic equipment and storage medium

Info

Publication number
CN113297629A
Authority
CN
China
Prior art keywords
authority
user request
information
user
authentication mode
Prior art date
Legal status
Granted
Application number
CN202110577341.5A
Other languages
Chinese (zh)
Other versions
CN113297629B (en)
Inventor
楼炎锋
范渊
刘博�
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202110577341.5A
Publication of CN113297629A
Application granted
Publication of CN113297629B
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese

The present application discloses an authentication method, system, electronic device and storage medium. The method includes: switching to a target authentication mode according to the current business requirements; when a user request is received, intercepting the user request and judging whether the token information in the user request is legal; if so, checking the legality of the user request according to the token information and the target authentication mode; and if the user request is legal, sending the user request to the network security capability center so that the network security capability center performs the business logic processing. According to the current business requirements, the method can flexibly switch to the required authentication mode, that is, the target authentication mode, and can switch to the corresponding authentication mode even where the authority requirements are high. This improves the security performance of the system and avoids the defect of the related art, in which only a conventional single authentication mode can be used, a mode suited only to low authority requirements and unable to meet the security performance requirements.

Description

Authentication method, device, system, electronic equipment and storage medium
Technical Field
The present application relates to the field of authentication technologies, and in particular, to an authentication method, apparatus, system, electronic device, and storage medium.
Background
At present, because government and enterprise units such as public security, network information and science and information departments require control over network security data, they often engage a plurality of security operations manufacturers and purchase the corresponding security operation products or services. The network security capability center was created to meet the need for unified data intercommunication and operation control among the products or services of these manufacturers. In this scenario the network security capability center has access rights to all interfaces of the connected manufacturers, and when people or equipment connect to the network security capability center, a system that can be accessed by anyone is extremely dangerous, so a set of authentication systems needs to be established.
The current authentication system only supports a single user-role-authority authentication mode. Because in this mode anyone who owns the role can access the authority system, information is easily stolen or modified by a malicious person, the system has security holes, and it cannot meet the security requirements when the system has higher requirements on authority.
Disclosure of Invention
The application aims to provide an authentication method, an authentication device, an authentication system, electronic equipment and a storage medium, which add an authentication mode, allow the authentication mode to be switched at will, and improve the safety performance of the authentication system.
The specific scheme is as follows:
In a first aspect, the present application discloses an authentication method, including:
switching to a target authentication mode according to the current service requirement;
when a user request is received, intercepting the user request, and judging whether token information in the user request is legal or not;
if yes, detecting the legality of the user request according to the token information and the target authentication mode;
and if the user request is legal, sending the user request to a network security capability center so as to enable the network security capability center to perform service logic processing.
Optionally, the determining whether the token information in the user request is legal includes:
determining the token type of the token information according to the characteristics of the token information in the user request;
and determining whether the authority information corresponding to the token information exists under the token type.
Optionally, the determining whether the authority information corresponding to the token information exists in the token type includes:
if the token information belongs to the account password type, returning function authority information and equipment authority information, and judging whether authority information corresponding to the token information exists in the function authority information and the equipment authority information;
and if the token information belongs to the three-party authorization code type, returning the equipment authority information, and judging whether the equipment authority information has authority information corresponding to the token information.
Optionally, the detecting the validity of the user request according to the token information and the target authentication mode includes:
analyzing the token information to obtain user information;
and judging whether the authority association table corresponding to the target authentication mode has authority information corresponding to the user information.
Optionally, the switching to the target authentication mode according to the current service requirement includes:
determining the authority level according to the service scene corresponding to the current service requirement;
if the authority level is smaller than a preset authority level threshold value, switching to a standard authentication mode, and taking the standard authentication mode as the target authentication mode; the standard authentication mode is a user-role-authority control mode;
if the authority level is greater than or equal to the preset authority level threshold value, switching to a fine authentication mode, and taking the fine authentication mode as the target authentication mode; the fine authentication mode is a user-authority or role-authority control mode.
Optionally, the detecting the validity of the user request according to the token information and the target authentication mode includes:
when the target authentication mode is a user-right authority control mode, analyzing the token information to obtain a user ID;
and judging whether the authority information corresponding to the user ID exists in the authority association table corresponding to the authority control mode of the user-authority.
In a second aspect, the present application discloses an authentication apparatus, comprising:
the switching module is used for switching to a target authentication mode according to the current service requirement;
the interception module is used for intercepting a user request when the user request is received and judging whether token information in the user request is legal or not;
the detection module is used for detecting the legality of the user request according to the token information and the target authentication mode if the token information is legal;
and the sending module is used for sending the user request to a network security capability center if the user request is legal so as to enable the network security capability center to perform service logic processing.
In a third aspect, the present application discloses an authentication system, comprising:
the requester is used for sending a user request to the server;
the server is used for executing the steps of the authentication method; the server comprises an authentication center and a network security capability center;
the authentication center is used for intercepting the user request and judging whether the token information in the user request is legal or not; if yes, sending the user request to the network security capability center; and the network security capability center is used for receiving the user request and carrying out service logic processing according to the user request.
In a fourth aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method as described above when executing the computer program.
In a fifth aspect, the present application discloses a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the authentication method as described above.
The application provides an authentication method, comprising the following steps: switching to a target authentication mode according to the current service requirement; when a user request is received, intercepting the user request, and judging whether token information in the user request is legal or not; if yes, detecting the legality of the user request according to the token information and the target authentication mode; and if the user request is legal, sending the user request to a network security capability center so as to enable the network security capability center to perform service logic processing.
Therefore, the method and the device can be flexibly switched to the required authentication mode, namely the target authentication mode, according to the current service requirement, and can also be switched to the corresponding authentication mode even under the condition of higher authority requirement, so that the safety performance of the system is improved, the defect that the conventional single authentication mode can only be used in the related technology and can only be suitable for the defect that the authority requirement is not high and the safety performance requirement is difficult to meet is avoided, the authentication mode is added, the authentication mode can be switched at will, and the safety performance of an authentication system is improved. The application also provides an authentication device, an authentication system, an electronic device and a computer readable storage medium, which have the beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an authentication method according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating a right configuration of a standard authentication mode according to an embodiment of the present application;
fig. 3a is a schematic diagram of an authority configuration of a fine authentication mode according to an embodiment of the present application;
fig. 3b is a schematic diagram illustrating another authority configuration of the fine authentication mode according to the embodiment of the present application;
FIG. 4 is a schematic diagram of a system interaction timing sequence according to an embodiment of the present application;
FIG. 5 is a schematic diagram of token checking logic provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of authentication logic provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The authentication center is a mature technical solution on the market at present, but it basically serves identity verification inside an enterprise or in an internet product, and mostly performs authority control of data access and operations in the user-role-authority dimension. The conventional personnel-role-authority authentication system controls system functions; for a capability center, however, the function permissions are few, and most permissions correspond one by one to devices and device requests, with different people needing different device requests. How to manage this more safely, and how to make administrator configuration more convenient, are the main problems to be solved. The current authentication system has the following disadvantages: because every request of every device owned by the network security capability center needs to be subject to authority control, the network security capability center needs to register its standard capabilities with the authentication center, and if a change to the standard capabilities of the network security capability center is not notified to or updated in the authentication center, the authentication center fails to control part of the authority; moreover, the authentication center and the network security capability center are strongly coupled when the user accesses, and if the authentication center fails, the access of a user who has the authority will fail too. The network security capability center is a unified docking platform for interfaces such as security monitoring, security scanning and security data acquisition provided by various third-party manufacturers. The authentication center is a unified identity authentication platform used when a user or device requests the system.
Based on the above technical problem, this embodiment provides an authentication method, which adds an authentication mode, and can switch the authentication mode arbitrarily, so as to improve the security performance of an authentication system, specifically please refer to fig. 1, where fig. 1 is a flowchart of an authentication method provided in this embodiment of the present application, and specifically includes:
s101, switching to a target authentication mode according to the current service requirement.
The embodiment does not limit the specific content of the current service requirement, and may be determined according to the actual situation. In the embodiment, the authentication mode can be switched, and the defect that only a single conventional authentication mode is supported in the related technology can be overcome. The present embodiment does not limit the specific object of the target authentication mode, and may be a conventional standard authentication mode, a newly added fine authentication mode in the present embodiment, or other authentication modes (which may be set according to actual requirements).
The embodiment does not limit the specific process of switching to the target authentication mode. In a specific embodiment, the switching to the target authentication mode according to the current service requirement may include:
determining the authority level according to the service scene corresponding to the current service requirement;
if the authority level is smaller than the preset authority level threshold, switching to a standard authentication mode, and taking the standard authentication mode as a target authentication mode; the standard authentication mode is a user-role-authority control mode;
if the authority level is greater than or equal to the preset authority level threshold, switching to a fine authentication mode, and taking the fine authentication mode as the target authentication mode; the fine authentication mode is a user-authority or role-authority control mode.
According to the embodiment, a specific service scene is determined according to the current service requirement, and then the permission level is determined according to the specific service scene. It can be understood that different permission levels can be formulated in advance according to different service scenes, and the corresponding relationship between the service scenes and the permission levels can be stored in a table so as to determine the permission levels corresponding to specific service scenes according to the table. After the authority level is determined, if the authority level corresponding to the current service scene is smaller than a preset authority level threshold, which indicates that the authority requirement under the service scene is lower, the method can be switched to a standard authentication mode, namely, a user-role-authority control mode. Correspondingly, if the permission level corresponding to the current service scene is greater than or equal to the preset permission level threshold, which indicates that the permission requirement under the service scene is higher, the method can be switched to a fine authentication mode, namely, a user-permission or role-permission control mode. The specific size of the preset permission level threshold is not limited in this embodiment, and the setting can be performed according to the actual situation.
S102, when the user request is received, the user request is intercepted, and whether the token information in the user request is legal or not is judged.
The present embodiment does not limit the specific content requested by the user, and may be set according to actual requirements, for example, the request may be a request for requesting the manufacturer device to perform data acquisition. It is understood that token information is a credential used by a user or device to indicate identity information. And if the user request does not carry the token information, directly returning error information or rejecting the user request. If the user request carries token information, the validity of the token information needs to be further judged.
The embodiment does not limit the specific way of determining whether the token information in the user request is legal. In a specific embodiment, determining whether the token information in the user request is legal may include:
determining the token type of the token information according to the characteristics of the token information in the user request;
and under the token type, determining whether authority information corresponding to the token information exists.
The embodiment determines the token type of the token information according to the characteristics of the token information in the user request. It can be understood that the token information may be characterized by an HTTP request header or a parameter value in the request link corresponding to the user request. For example, when the token information in the user request is carried in the authorization field, that is, as a token, the token information represents the account password type; when the token information in the user request is carried in the access field, the token is a three-party authentication token and represents the three-party authorization code type. After the token type of the token information is determined, whether authority information corresponding to the token information exists can be determined under that token type. Specifically, if authority information corresponding to the token information exists, the token information in the user request is legal; if no authority information corresponding to the token information exists, the token information in the user request is illegal.
The embodiment does not limit the specific manner of determining whether the authority information corresponding to the token information exists according to the token type. In a specific embodiment, determining whether the authority information corresponding to the token information exists under the token type may include:
if the token information belongs to the account password type, returning the function authority information and the equipment authority information, and judging whether authority information corresponding to the token information exists in the function authority information and the equipment authority information or not;
if the token information belongs to the three-party authorization code type, returning the equipment authority information, and judging whether the equipment authority information has authority information corresponding to the token information.
In this embodiment, if the token information belongs to the account password type, the function permission information and the device permission information are returned. It can be understood that the function permission information represents the permission configuration information corresponding to the conventional standard authentication mode, i.e. the user-role-authority control mode. Fig. 2 is a schematic diagram of the permission configuration of the standard authentication mode provided in this embodiment. In the standard authentication mode the permission information is bound to the role: the user has a role, the role is associated with device permission information, and the user obtains the permission for the corresponding devices according to the permission information associated with the role. For example, if role A is associated with the rights of device 1 and device 2, and user 3 is associated with role A, then user 3 finally has the rights of devices 1 and 2. The device permission information represents the permission configuration information corresponding to the fine authentication mode provided by the application, i.e. the user-authority or role-authority control mode. Fig. 3a is a schematic diagram of one permission configuration of the fine authentication mode provided in this embodiment, and fig. 3b is a schematic diagram of another permission configuration of the fine authentication mode. In the fine authentication mode the permission information is associated directly with the user or the role, and if the permission information is associated with a role, the users corresponding to that role also have the corresponding permission. For example, if role A owns the rights of devices 1 and 2, user 3 has the right of device 3, and user 3 is associated with role A, then user 3 finally has the rights of devices 1, 2 and 3.
It can be understood that if the token information belongs to the account password type, the function permission information and the equipment permission information are returned, the token information is parsed in the account password form to determine which user it is, and then whether permission information corresponding to the user exists in the function permission information and the equipment permission information is checked; if so, the token information is legal, and if not, it is illegal. Similarly, if the token information belongs to the three-party authorization code type, the equipment permission information is returned, the token information is parsed in the three-party authorization code form to determine which user it is, and then whether permission information corresponding to the user exists in the equipment permission information is checked; if so, the token information is legal, and if not, it is illegal.
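The token check of step S102 (token type located from where the credential sits in the request, then an existence check against the permission tables that apply to that type) can be modelled as follows. This is an added example written for this page, not code from the patent or from Hangzhou Dbappsecurity; the request shape, the credential-to-user dictionaries, the permission tables and the `Bearer` prefix handling are constructed assumptions, and a real authentication center would verify a signed token or consult a session store instead of a plain dictionary.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class TokenType(Enum):
    ACCOUNT_PASSWORD = "account_password"   # carried in the Authorization header
    THIRD_PARTY_CODE = "third_party_code"   # carried in the access field


@dataclass
class UserRequest:
    """Minimal stand-in for the intercepted HTTP request (constructed)."""
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


# Constructed credential -> user mappings (assumption: a real system verifies a
# signature or a session store rather than looking up a plain dict).
ACCOUNT_TOKENS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
THIRD_PARTY_CODES: Dict[str, str] = {"code-vendor-x": "svc-vendor-x",
                                     "code-vendor-y": "svc-vendor-y"}

# Constructed permission tables. Function permission information belongs to the
# standard (user-role-authority) mode; device permission information belongs to
# the fine (user-authority / role-authority) mode.
FUNCTION_PERMISSIONS: Dict[str, Set[str]] = {"alice": {"view_alerts"},
                                             "svc-vendor-y": {"view_alerts"}}
DEVICE_PERMISSIONS: Dict[str, Set[str]] = {"bob": {"device-1"},
                                           "svc-vendor-x": {"device-2"}}


def classify_token(req: UserRequest) -> Optional[Tuple[TokenType, str]]:
    """Locate the token by where it sits in the request and return (type, raw value).
    Returns None when the request carries no token at all."""
    auth = req.headers.get("Authorization", "")
    if auth:
        raw = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
        return TokenType.ACCOUNT_PASSWORD, raw.strip()
    access = req.params.get("access") or req.headers.get("access")
    if access:
        return TokenType.THIRD_PARTY_CODE, access.strip()
    return None


def resolve_user(token_type: TokenType, raw: str) -> Optional[str]:
    """Parse the token in the form that matches its type to find the user."""
    table = ACCOUNT_TOKENS if token_type is TokenType.ACCOUNT_PASSWORD else THIRD_PARTY_CODES
    return table.get(raw)


def token_is_legal(req: UserRequest) -> bool:
    """S102: the token is legal only if permission information for its user exists
    under the token type. Account-password tokens are matched against the function
    and device permission tables; three-party codes against the device table only,
    so a vendor code resolving to a user with nothing but function permissions is
    rejected."""
    located = classify_token(req)
    if located is None:
        return False                      # no token: return an error directly
    token_type, raw = located
    user = resolve_user(token_type, raw)
    if user is None:
        return False                      # credential does not resolve to any user
    if token_type is TokenType.ACCOUNT_PASSWORD:
        return bool(FUNCTION_PERMISSIONS.get(user)) or bool(DEVICE_PERMISSIONS.get(user))
    return bool(DEVICE_PERMISSIONS.get(user))
```

Note that this step only establishes that the token belongs to someone who has some permission configured under the matching type; whether the user may perform the specific request is decided separately in step S103 against the association table of the current authentication mode.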
And S103, if yes, detecting the legality of the user request according to the token information and the target authentication mode.
After determining that the token information in the user request is legal, the embodiment further needs to determine whether the user request is legal. In this embodiment, the validity of the user request is determined according to the token information and the current authentication mode, i.e. the target authentication mode.
The embodiment does not limit the specific way of determining whether the user request is legal, and the method is determined according to the specific token information and the specific target authentication mode. In a specific embodiment, detecting the validity of the user request according to the token information and the target authentication mode may include:
analyzing the token information to obtain user information;
and judging whether the authority association table corresponding to the target authentication mode has authority information corresponding to the user information.
In this embodiment, the user information is obtained by parsing the token information; the embodiment does not limit the specific content of the user information, which may include the user ID and the user role. After the user information is obtained, whether authority information corresponding to the user information exists is checked through the authority association table corresponding to the target authentication mode; if so, the user request is legal, and if not, the user request is illegal. The embodiment does not limit the specific content of the authority association table, as long as the corresponding authority can be matched according to the user or role information. For example, if the token information belongs to the account password type, the token information is parsed in the account password form to obtain the user ID and the role information, then an association query is performed against the authority association table designed for the user ID and role information, and the authority information of the user making the current request is obtained. If the token information belongs to the three-party authorization code type, the token information is parsed in the three-party authorization code form to obtain a user ID, then an association query is performed against the authority association table designed for the user ID, and the authority information of the user making the current request is obtained. In a specific embodiment, detecting the validity of the user request according to the token information and the target authentication mode may include:
when the target authentication mode is a user-right authority control mode, analyzing the token information to obtain a user ID;
and judging whether the authority association table corresponding to the user-authority control mode has authority information corresponding to the user ID.
And S104, if the user request is legal, sending the user request to the network security capability center so that the network security capability center performs service logic processing.
After determining that the user request is legal, the embodiment sends the user request to the network security capability center, so that the network security capability center performs service logic processing. The embodiment does not limit the specific content of the service logic processing performed by the network security capability center, and may be determined according to the actual request, and belongs to the subsequent operation of the authentication scheme provided in the present application.
Based on the above technical scheme, the present embodiment can flexibly switch to a required authentication mode, i.e. a target authentication mode, according to the current service requirement, and can also switch to a corresponding authentication mode even under the condition of higher authority requirement, thereby improving the security performance of the system, and avoiding the defect that only a conventional single authentication mode can be used in the related technology, and the mode can only be applicable to the defects that the authority requirement is not high, and the security performance requirement is difficult to meet.
The following provides an authentication center system, which comprises an authentication center and a network security capability center (capability center for short). The authentication mode in this embodiment is divided into a standard mode and a fine mode.
Standard mode rights description: user 1:n role 1:n authority control, i.e. batch authority control. It is suitable for scenarios with low fine-granularity requirements on authority and performs batch authentication on users and roles. Fine mode rights description: user 1:n device requests, each user directly associated with its rights information. It is suitable for scenarios with high personnel authority control requirements and achieves independent authority management for each user. Mode switching is simple to configure: the authentication mode is maintained in a global variable of the system, and switching of the authentication center is requested through an account with super administrator authority, avoiding complex configuration; specifically, the authentication center supports a user with super administrator authority clicking a switch button at the front end, and the front end sends a switch request to switch between the standard mode and the fine mode with one key.
Fig. 4 is a schematic diagram of the system interaction timing sequence provided in this embodiment, and the process is as follows:
1. A user sends a request carrying token information to a standard interface of the capability center;
2. The authentication center intercepts the user request and checks whether legal token information exists; if not, an error message is returned directly. Fig. 5 is a schematic diagram of the token checking logic provided in this embodiment. When a user sends a user request to the capability center, the token information is carried in the message of the request; the authentication center locates the token type from the characteristics of the token, and the final user information is found through the association specific to that token type.
3. If the token information is legal, check whether the user request is legal, judging according to the current authentication mode and the token information; if the user request is illegal, return directly. Fig. 6 is a schematic diagram of the authentication logic provided in this embodiment. Using the obtained user information, the authentication center routes the judgment according to the currently enabled authentication mode, i.e. the current authentication mode, obtains the authority information configured for the user under the current mode, and verifies whether the user request has that authority; if the authority matches, the user request is forwarded to the capability center.
4. If the user request is legal, forward the user request to the capability center, which performs parameter assembly and verification;
5. The parameters and the interface corresponding to the standard interface are forwarded to the actual manufacturer's device or service for data acquisition or processing.
6. The processing result is returned.
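The six-step sequence above, as an added example that is not code from the patent or its assignee: a small authentication center in Python that intercepts a request, locates the token type from its characteristics, resolves the user, routes the authority check through the association table of the currently enabled mode (user-role-authority in standard mode, user-authority in fine mode), and only then hands the request to a simulated capability center. The token prefixes, interface paths, user names and permission tables are constructed assumptions for illustration.

```python
"""Added example (not the patent's own code): an authentication center
gateway following the six-step interaction sequence. Token formats,
interface names and permission tables are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

STANDARD, FINE = "standard", "fine"

# The currently enabled authentication mode is kept in a system global,
# as the description says.
CURRENT_MODE = {"mode": STANDARD}

# Constructed token store. Two token "characteristics" are assumed:
# session tokens issued after account/password login start with "sess-",
# third-party authorization codes start with "code-".
SESSION_TOKENS = {"sess-7f3a": "alice", "sess-9c21": "bob"}
AUTH_CODES = {"code-4e8d": "partner-app"}

# Standard mode: user -> roles -> interfaces (batch control via roles).
USER_ROLES = {"alice": {"auditor"}, "bob": {"operator", "auditor"}}
ROLE_PERMS = {"auditor": {"/api/v1/logs/query"},
              "operator": {"/api/v1/devices/scan", "/api/v1/logs/query"}}

# Fine mode: each user is directly associated with its own interfaces.
USER_PERMS = {"alice": {"/api/v1/logs/query"},
              "bob": {"/api/v1/devices/scan"},
              "partner-app": {"/api/v1/devices/scan"}}


@dataclass
class Request:
    token: str
    interface: str
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def locate_token_type(token: str) -> Optional[str]:
    """Step 2: locate the token type from the token's characteristics."""
    if token.startswith("sess-"):
        return "account_password"
    if token.startswith("code-"):
        return "third_party_code"
    return None


def resolve_user(token: str) -> Optional[str]:
    """Step 2: find the user behind the token via its type's association."""
    kind = locate_token_type(token)
    if kind == "account_password":
        return SESSION_TOKENS.get(token)
    if kind == "third_party_code":
        return AUTH_CODES.get(token)
    return None


def permissions_for(user: str, mode: str) -> set:
    """Step 3: route to the association table of the current mode."""
    if mode == STANDARD:
        perms = set()
        for role in USER_ROLES.get(user, ()):
            perms |= ROLE_PERMS.get(role, set())
        return perms
    if mode == FINE:
        return set(USER_PERMS.get(user, ()))
    raise ValueError(f"unknown authentication mode: {mode}")


def capability_center(user: str, req: Request) -> Response:
    """Steps 4-6: parameter assembly/verification and forwarding to the
    vendor device are simulated by echoing the request back."""
    if not isinstance(req.params, dict):
        return Response(400, "bad parameters")
    return Response(200, f"{user} -> {req.interface} {sorted(req.params)}")


def authenticate(req: Request, mode: Optional[str] = None) -> Response:
    """Steps 1-3: intercept, check token legality, check request legality."""
    mode = mode or CURRENT_MODE["mode"]
    user = resolve_user(req.token)
    if user is None:
        return Response(401, "invalid token")   # step 2: error returned directly
    if req.interface not in permissions_for(user, mode):
        return Response(403, "no permission")   # step 3: illegal request returned
    return capability_center(user, req)         # step 4: forward to capability center


if __name__ == "__main__":
    print(authenticate(Request("sess-9c21", "/api/v1/logs/query")))
    print(authenticate(Request("sess-9c21", "/api/v1/logs/query"), FINE))
```

Passing an explicit `mode` to `authenticate` shows the effect of a switch without touching the global: the same session token for `bob` is accepted for the log query in standard mode (through the `auditor` role) but rejected in fine mode, where only his directly associated interfaces count.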
Based on the above technical scheme, in the authentication center system provided by this embodiment, when authority control is performed by the capability center, the difficulty that mode switching and configuration changes bring to authentication is reduced; on top of the conventional single-function authentication mode, fine authority control is added, giving higher granularity; and it is convenient for the administrator of the capability center to switch authority control between different scenarios and to control how coarse or fine that authority control is.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an authentication device according to an embodiment of the present disclosure; the authentication device described below and the authentication method described above may be referred to correspondingly. In some specific embodiments, the authentication device includes:
a switching module 701, configured to switch to a target authentication mode according to the current service requirement;
an intercepting module 702, configured to intercept a user request when the user request is received, and determine whether the token information in the user request is legal;
a detecting module 703, configured to, if the token information is legal, detect the validity of the user request according to the token information and the target authentication mode;
a sending module 704, configured to send the user request to the network security capability center if the user request is legal, so that the network security capability center performs service logic processing.
In some specific embodiments, the interception module 702 includes:
the first determining unit is used for determining the token type of the token information according to the characteristics of the token information in the user request;
and the second determining unit is used for determining whether the authority information corresponding to the token information exists under the token type.
In some specific embodiments, the second determining unit includes:
the first judgment subunit is used for returning the function authority information and the equipment authority information if the token information belongs to the account password type, and judging whether authority information corresponding to the token information exists in the function authority information and the equipment authority information or not;
and the second judgment subunit is used for returning the equipment authority information if the token information belongs to the three-party authorization code type, and judging whether the equipment authority information has authority information corresponding to the token information.
In some specific embodiments, the detection module 703 includes:
the first analysis unit is used for analyzing the token information to obtain user information;
and the first judgment unit is used for judging whether the authority association table corresponding to the target authentication mode has the authority information corresponding to the user information.
In some specific embodiments, the switching module 701 includes:
the third determining unit is used for determining the authority level according to the service scene corresponding to the current service requirement;
the first switching unit is used for switching to a standard authentication mode if the authority level is smaller than a preset authority level threshold value, and taking the standard authentication mode as a target authentication mode; the standard authentication mode is a user-role-authority control mode;
the second switching unit is used for switching to the fine authentication mode if the authority level is greater than or equal to the preset authority level threshold value, and taking the fine authentication mode as the target authentication mode; the fine authentication mode is a user-authority or role-authority control mode.
In some specific embodiments, the detection module 703 includes:
the second analysis unit is used for analyzing the token information to obtain a user ID when the target authentication mode is a user-right authority control mode;
and the second judgment unit is used for judging whether the authority association table corresponding to the authority control mode of the user-authority has the authority information corresponding to the user ID.
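The threshold rule of the switching module 701 (third determining unit and the two switching units) and the token-type rule of the second determining unit of the interception module 702, as an added example that is not code from the patent or its assignee. The service scene to authority level mapping, the threshold value, the super-administrator gate on switching and the permission sets are constructed assumptions; the patent only says that a level is determined from the scene and compared with a preset threshold, and that account/password tokens return function plus equipment authority while third-party authorization codes return equipment authority only.

```python
"""Added example (not the patent's own code): the switching module's
threshold rule and the second determining unit's token-type rule.
Scene levels, the threshold and the permission sets are constructed."""
from dataclasses import dataclass

STANDARD_MODE = "standard"   # user-role-authority control mode
FINE_MODE = "fine"           # user-authority / role-authority control mode

# Constructed mapping from service scene to the authority level it requires.
SCENE_LEVEL = {"log_query": 1, "device_scan": 2,
               "config_change": 4, "firmware_update": 5}
LEVEL_THRESHOLD = 3          # preset authority level threshold (assumed value)

# The active mode lives in a global variable; only an account with super
# administrator authority may request the switch, as the embodiment says.
_state = {"mode": STANDARD_MODE}


def determine_level(scene: str) -> int:
    """Third determining unit: authority level from the current service scene."""
    try:
        return SCENE_LEVEL[scene]
    except KeyError:
        raise ValueError(f"unknown service scene: {scene}") from None


def select_mode(level: int, threshold: int = LEVEL_THRESHOLD) -> str:
    """First/second switching units: below the threshold -> standard mode,
    greater than or equal -> fine mode."""
    return STANDARD_MODE if level < threshold else FINE_MODE


def switch_mode(scene: str, requester_is_super_admin: bool) -> str:
    """Switching module 701: choose the target mode and store it globally."""
    if not requester_is_super_admin:
        raise PermissionError("only a super administrator may switch the mode")
    _state["mode"] = select_mode(determine_level(scene))
    return _state["mode"]


def current_mode() -> str:
    return _state["mode"]


@dataclass(frozen=True)
class TokenRecord:
    token_type: str            # "account_password" or "third_party_code"
    function_perms: frozenset  # function authority information
    device_perms: frozenset    # equipment (device) authority information


def authority_sets(record: TokenRecord) -> dict:
    """Second determining unit: which authority information is returned.
    Account/password tokens: function + equipment authority.
    Third-party authorization codes: equipment authority only."""
    if record.token_type == "account_password":
        return {"function": record.function_perms, "device": record.device_perms}
    if record.token_type == "third_party_code":
        return {"device": record.device_perms}
    raise ValueError(f"unknown token type: {record.token_type}")


def has_authority(record: TokenRecord, permission: str) -> bool:
    """Judgment subunits: does the returned authority information contain
    the permission the request needs?"""
    return any(permission in perms for perms in authority_sets(record).values())


if __name__ == "__main__":
    print(switch_mode("device_scan", requester_is_super_admin=True))
    print(switch_mode("firmware_update", requester_is_super_admin=True))
    code = TokenRecord("third_party_code", frozenset({"func:export"}),
                       frozenset({"dev:fw-01"}))
    print(has_authority(code, "func:export"), has_authority(code, "dev:fw-01"))
```

The point of `authority_sets` is that a third-party authorization code never sees the function authority set even if the backing record carries one, so a partner integration cannot be granted function-level rights through that token type by accident; the mode switch is kept separate from the per-request check so that a switch by a super administrator changes which association table later requests are routed to.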
Since the embodiment of the authentication apparatus portion and the embodiment of the authentication method portion correspond to each other, please refer to the description of the embodiment of the authentication method portion for the embodiment of the authentication apparatus portion, which is not repeated here.
The application also discloses an authentication system, comprising:
the requester is used for sending a user request to the server;
the server is used for executing the steps of the authentication method; the server comprises an authentication center and a network security capability center;
the authentication center is used for intercepting the user request and judging whether the token information in the user request is legal or not; if yes, sending the user request to the network security capability center; and the network security capability center is used for receiving the user request and carrying out service logic processing according to the user request.
Since the embodiment of the authentication system part corresponds to the embodiment of the authentication method part, please refer to the description of the embodiment of the authentication method part, which is not repeated here.
In the following, an electronic device provided by an embodiment of the present application is introduced, and the electronic device described below and the authentication method described above may be referred to correspondingly.
The application also discloses an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method as described above when executing the computer program.
Since the embodiment of the electronic device portion and the embodiment of the authentication method portion correspond to each other, please refer to the description of the embodiment of the authentication method portion for the embodiment of the electronic device portion, which is not repeated here.
In the following, a computer-readable storage medium provided by an embodiment of the present application is introduced, and the computer-readable storage medium described below and the authentication method described above may be referred to correspondingly.
The application also discloses a computer readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the authentication method as described above.
Since the embodiment of the computer-readable storage medium portion corresponds to the embodiment of the authentication method portion, please refer to the description of the embodiment of the authentication method portion for the embodiment of the computer-readable storage medium portion, which is not repeated here.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The authentication method, device, system, electronic device and computer-readable storage medium provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (10)

1. An authentication method, comprising:
switching to a target authentication mode according to the current service requirement;
when a user request is received, intercepting the user request, and judging whether token information in the user request is legal or not;
if yes, detecting the legality of the user request according to the token information and the target authentication mode;
and if the user request is legal, sending the user request to a network security capability center so as to enable the network security capability center to perform service logic processing.
2. The authentication method of claim 1, wherein said determining whether the token information in the user request is legitimate comprises:
determining the token type of the token information according to the characteristics of the token information in the user request;
and determining whether the authority information corresponding to the token information exists under the token type.
3. The authentication method according to claim 2, wherein the determining whether the authority information corresponding to the token information exists under the token type includes:
if the token information belongs to the account password type, returning function authority information and equipment authority information, and judging whether authority information corresponding to the token information exists in the function authority information and the equipment authority information;
and if the token information belongs to the three-party authorization code type, returning the equipment authority information, and judging whether the equipment authority information has authority information corresponding to the token information.
4. The authentication method of claim 1, wherein the detecting the validity of the user request according to the token information and the target authentication mode comprises:
analyzing the token information to obtain user information;
and judging whether the authority associated table corresponding to the target authentication mode has authority information corresponding to the user information.
5. The authentication method according to any one of claims 1 to 4, wherein the switching to the target authentication mode according to the current service requirement comprises:
determining the authority level according to the service scene corresponding to the current service requirement;
if the authority level is smaller than a preset authority level threshold value, switching to a standard authentication mode, and taking the standard authentication mode as the target authentication mode; the standard authentication mode is a user-role-authority control mode;
if the authority level is greater than or equal to a preset authority level threshold value, switching to a fine authentication mode, and taking the fine authentication mode as the target authentication mode; the fine authentication mode is a user-authority or role-authority control mode.
6. The authentication method as claimed in claim 5, wherein the detecting the validity of the user request according to the token information and the target authentication mode comprises:
when the target authentication mode is a user-right authority control mode, analyzing the token information to obtain a user ID;
and judging whether the authority information corresponding to the user ID exists in the authority association table corresponding to the authority control mode of the user-authority.
7. An authentication apparatus, comprising:
the switching module is used for switching to a target authentication mode according to the current service requirement;
the interception module is used for intercepting a user request when the user request is received and judging whether token information in the user request is legal or not;
the detection module is used for detecting the legality of the user request according to the token information and the target authentication mode if the token information is legal;
and the sending module is used for sending the user request to a network security capability center if the user request is legal so as to enable the network security capability center to perform service logic processing.
8. An authentication system, comprising:
the requester is used for sending a user request to the server;
a server for performing the steps of the authentication method of any one of claims 1 to 6; the server comprises an authentication center and a network security capability center;
the authentication center is used for intercepting the user request and judging whether the token information in the user request is legal or not; if yes, sending the user request to the network security capability center; and the network security capability center is used for receiving the user request and carrying out service logic processing according to the user request.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the authentication method according to any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the authentication method according to any one of claims 1 to 6.
CN202110577341.5A | priority date 2021-05-26 | filing date 2021-05-26 | Authentication method, device, system, electronic equipment and storage medium | Active | CN113297629B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110577341.5A (CN113297629B, en) | 2021-05-26 | 2021-05-26 | Authentication method, device, system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202110577341.5A (CN113297629B, en) | 2021-05-26 | 2021-05-26 | Authentication method, device, system, electronic equipment and storage medium

Publications (2)

Publication Number | Publication Date
CN113297629A (en) | 2021-08-24
CN113297629B (en) | 2023-03-14

Family

ID=77325188

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202110577341.5A (Active, CN113297629B, en) | Authentication method, device, system, electronic equipment and storage medium | 2021-05-26 | 2021-05-26

Country Status (1)

Country | Link
CN (1) | CN113297629B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
JP2005149121A (en) * | 2003-11-14 | 2005-06-09 | Ricoh Co Ltd | Security ensuring support program, server device for executing the program, and storage medium storing the program
CN101052032A (en) * | 2006-04-04 | 2007-10-10 | 华为技术有限公司 | Business entity certifying method and device
CN101197711A (en) * | 2007-12-06 | 2008-06-11 | 华为技术有限公司 | A method, device and system for realizing unified authentication management
CN101471939A (en) * | 2007-12-28 | 2009-07-01 | 中国科学院声学研究所 | Multitime user authentication method for fusion business system with SOA architecture
CN101707771A (en) * | 2009-11-17 | 2010-05-12 | 中兴通讯股份有限公司 | Network authentication system and method for network side receiving terminal access
CN102984169A (en) * | 2012-12-11 | 2013-03-20 | 中广核工程有限公司 | Single sign-on method, equipment and system
KR20130133987A (en) * | 2012-05-30 | 2013-12-10 | 모다정보통신 주식회사 | Method for authorizing access to resource in m2m communications
CN104378348A (en) * | 2014-09-17 | 2015-02-25 | 酷派软件技术(深圳)有限公司 | Data link authentication method and device
CN105072135A (en) * | 2015-09-02 | 2015-11-18 | 中国地质大学(武汉) | A cloud file sharing authorization and authentication method and system
CN107517179A (en) * | 2016-06-15 | 2017-12-26 | 阿里巴巴集团控股有限公司 | A kind of method for authenticating, device and system
CN109617926A (en) * | 2019-01-28 | 2019-04-12 | 广东淘家科技有限公司 | Control method, device and the storage medium of service authority
CN110113369A (en) * | 2019-06-27 | 2019-08-09 | 无锡华云数据技术服务有限公司 | A kind of method for authenticating of based role permission control
CN111698312A (en) * | 2020-06-08 | 2020-09-22 | 中国建设银行股份有限公司 | Service processing method, device, equipment and storage medium based on open platform

Also Published As

Publication number | Publication date
CN113297629B (en) | 2023-03-14

Similar Documents

Publication | Title
US9742757B2 (en) | Identifying and destroying potentially misappropriated access tokens
US9860249B2 (en) | System and method for secure proxy-based authentication
US8356335B2 (en) | Techniques for authentication via network connections
US8875220B2 (en) | Proxy-based network access protection
US9781096B2 (en) | System and method for out-of-band application authentication
US20100100950A1 (en) | Context-based adaptive authentication for data and services access in a network
CN114902612A (en) | Edge network based account protection service
US11277404B2 (en) | System and data processing method
CN110365483B (en) | Cloud platform authentication method, client, middleware and system
US20110225641A1 (en) | Token Request Troubleshooting
CN105933245B (en) | A Secure Trusted Access Method in Software Defined Networks
US9311485B2 (en) | Device reputation management
CN114513786A (en) | 5G feeder automation access control method, device and medium based on zero trust
CN106789858B (en) | Access control method and device and server
CN116319024B (en) | Access control method and device of zero trust system and zero trust system
US10834074B2 (en) | Phishing attack prevention for OAuth applications
US11784993B2 (en) | Cross site request forgery (CSRF) protection for web browsers
US11582232B2 (en) | Authority transfer system, server and method of controlling the server, and storage medium
CN100559763C (en) | A Method for Integrity Checking of Remote Network Services
CN114389890A (en) | User request proxy method, server and storage medium
US10382398B2 (en) | Application signature authorization
WO2024120113A1 (en) | Cloud application access control method and apparatus, and computer-readable storage medium
CN113225348A (en) | Request anti-replay verification method and device
CN113297629A (en) | Authentication method, device, system, electronic equipment and storage medium
CN115622736A (en) | Safety verification method, device, electronic equipment and storage medium

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
EE01 | Entry into force of recordation of patent licensing contract

Application publication date: 20210824
Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.
Assignor: Dbappsecurity Co.,Ltd.
Contract record no.: X2024980043364
Denomination of invention: An authentication method, device, system, electronic device, and storage medium
Granted publication date: 20230314
License type: Common License
Record date: 20241231
